You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@maven.apache.org by "Fabrice BELLINGARD (JIRA)" <ji...@codehaus.org> on 2006/01/13 10:10:01 UTC

[jira] Commented: (MNG-553) Secure Storage of Server Passwords

    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_55698 ] 

Fabrice BELLINGARD commented on MNG-553:
----------------------------------------

I just want to mention that this issue looks more than just minor (at least to me! :)). 
Indeed, I want to spread Maven 2 all over my company (thousands of developers), but the fact that it is not possible to encrypt passwords in Maven (at least in the settings.xml file for the proxy parameters) does not encourage security managers to allow me to do so... 
I've already talked a lot about Maven 2, and lots of developers are willing to use it. But I won't be able to distribute Maven in my company unless this issue is resolved. That's why I find that this issue is at least Major, and I will hardly be able to wait till 2.1 (looking at the bug list to fix before releasing it)...

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement

>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Minor
>      Fix For: 2.1

>
>
> This was a question pose to the Maven User's Group and it was suggested I add it here.  
> It would be benefitial to provide a more secure means of storing password's to the servers listed in the .m2/settings.xml.  They are currently being stored as plain text and could definately be considered a security breach.  Numerous organizations would undoubtedly considered this an unacceptable security risk, and this could prevent widespread adoption of Maven2.
> I would suggest leaving an option to encrypt the password into the settings file (more secure, but not foolproof) or even requiring the password to be manually provided per build (would prevent automation of builds).  I am sure that there is a secure solution to this problem and it should be part of the 2.0 release.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org